What It Does
Arrakis is a self-hosted sandboxing platform for running untrusted AI agent code in isolated environments. Each sandbox is a lightweight microVM powered by Cloud Hypervisor (a Rust-based VMM from the Intel/Microsoft ecosystem, built on the same rust-vmm components as AWS Firecracker). Sandboxes run a full Ubuntu environment with a pre-installed code execution service, VNC server, and Chrome browser, making them suitable for both headless code execution and full computer-use scenarios.
The platform’s defining feature is native snapshot-and-restore: agents can checkpoint a running sandbox to disk and restore it to that exact state later, including full memory and CPU state. This enables backtracking in multi-step workflows — an AI agent can explore one path, revert, and try another — which aligns with Monte Carlo Tree Search-style agent architectures. Management is exposed via a REST API (arrakis-restserver daemon), a Go CLI (arrakis-client), a Python SDK (py-arrakis on PyPI), and an MCP server for integration with Claude Desktop, Cursor, and Windsurf.
The project is authored by Abhishek Bhardwaj, an OpenAI agent infrastructure engineer who previously worked on ChromeOS virtualization at Google (founding engineer on Android app support and Linux dev environments) and as a Staff Platform Engineer at Replit.
Key Features
- Cloud Hypervisor microVM isolation: Hardware-enforced VM isolation using a Rust-based VMM; stronger than container isolation (Docker/gVisor), comparable to Firecracker in security model
- Snapshot-and-restore: Checkpoint full VM state (memory + CPU) to disk and restore deterministically; supports agent backtracking and MCTS-style exploration
- Computer use ready: Each sandbox includes a pre-installed VNC server and Chrome browser for graphical desktop automation tasks
- overlayfs root filesystem: The base guest image is shared across sandbox instances via overlayfs, reducing disk usage per sandbox
- TAP networking with port forwarding: Automatic host-to-sandbox port forwarding via Linux bridge networking; SSH and VNC accessible from the host
- REST API + Python SDK: arrakis-restserver daemon manages VM lifecycle; py-arrakis Python SDK available on PyPI
- MCP server integration: Separate arrakis-mcp-server repo wraps the REST API as an MCP server for AI assistant tooling
- Dockerfile-based customization: Extend the base Ubuntu guest image with additional dependencies via standard Dockerfile syntax
- Go CLI: arrakis-client CLI for human operators managing sandbox lifecycle from the terminal
Use Cases
- Self-hosted AI agent code execution: Teams that cannot send code to third-party cloud providers (regulated industries, proprietary IP) and need hardware-level sandbox isolation with full infrastructure control
- Computer use agent development: Building and testing agents that control a desktop browser, GUI applications, or run interactive programs requiring a display
- Agent backtracking and exploration: Implementing MCTS-style tree search where an agent explores multiple execution paths, snapshotting at branch points and restoring to explore alternatives
- AI agent development on a budget: Open-source alternative to E2B for teams comfortable with self-hosting who want zero per-execution cost
Adoption Level Analysis
Small teams (<20 engineers): Viable for development and experimentation. Self-hosting gives full control. The free (as in cost) model has no per-execution fees. However, setup requires a KVM-capable Linux host, cloud-hypervisor binary, prebuilt guest kernel, Docker, and root access for iptables — this is non-trivial. Expect to invest a few hours on initial setup. Not suitable for managed cloud deployment out of the box.
Medium orgs (20–200 engineers): Poor fit in current state. No multi-tenant management plane, no centralized monitoring, no per-user quotas, no audit logging. The REST API has no described authentication — it is a localhost daemon by design. Deploying this in a shared production environment would require building significant management tooling on top. The AGPL-3.0 license may also be a legal blocker for commercial products.
Enterprise (200+ engineers): Does not fit. No SOC 2, no enterprise support, no managed offering, no security audit. Commercial licensing is listed as available on request, but there is no information about its terms or pricing.
Alternatives
| Alternative | Key Difference | Prefer when… |
|---|---|---|
| E2B | Managed SaaS, Firecracker microVMs, sub-200ms cold starts, 200M+ sandboxes run | You want a managed service with no ops burden and production-grade SLA |
| Microsandbox | libkrun microVMs, network-layer secret injection, local-first, macOS support | You need secrets never to leave the host machine and can trade features for security |
| Daytona | Docker-based, sub-90ms cold starts, computer-use focus, open source | You need fast ephemeral environments and Docker-level isolation is acceptable |
| Sprites (Fly.io) | Managed Firecracker, checkpoint/restore, persistent 100GB volumes, auto-sleep billing | You need persistent agent state between sessions with production reliability |
| Zeroboot | Sub-millisecond restore via CoW Firecracker snapshot forking (research prototype) | You need extreme parallelism with fast branch forking (accept research-stage maturity) |
| OpenSandbox | Self-hosted, Alibaba-backed, multi-language SDKs, Docker/K8s runtimes | You want self-hosted but need multi-language SDK support and Kubernetes-native deployment |
Evidence & Sources
- GitHub repository — abshkbh/arrakis
- Detailed README (architecture and technical constraints)
- Show HN: Arrakis — Hacker News community discussion
- Arrakis: How To Build An AI Sandbox From Scratch — AI Engineer talk (YouTube)
- Guide to Cloud Hypervisor — Northflank
- How to sandbox AI agents in 2026: MicroVMs, gVisor & isolation strategies — Northflank
- The State of MicroVM Isolation in 2026 — emirb.github.io
Notes & Caveats
- Hardcoded default SSH credentials: The guest Dockerfile contains a hardcoded SSH password (“elara0000”). Any production deployment that does not change this credential is trivially compromised. This is a serious operational security concern that should be addressed before any multi-user or internet-exposed deployment.
- REST API has no authentication: The arrakis-restserver daemon is designed as a localhost service with no described authentication or authorization layer. Exposing it to a network requires adding a reverse proxy with auth.
- Root access required: Root is currently needed to configure iptables for guest networking. The README notes “Removing the root dependency is being currently worked on.” Running sandbox management infrastructure as root increases blast radius if the server is compromised.
- IP address conflict on restore: Restoring a snapshot while the original VM is still running causes IP conflicts. The workaround (“stop or destroy the original VM before restoring”) precludes parallel branch exploration — a core use case the project claims to support.
- No published startup latency: The documentation states a goal of “under 500ms” startup time but notes it is “ongoing work,” implying current latency exceeds 500ms. No measured baseline is given. Compare to E2B’s claimed sub-200ms.
- AGPL-3.0 license: If you use Arrakis as a network service and modify it, AGPL requires you to publish those modifications. This may be a blocker for commercial products that want to use Arrakis as a backend service without open-sourcing their code. Commercial licensing is available “on request” but terms are not public.
- Single maintainer / personal project: The repository is owned by an individual (abshkbh), not an organization. Bus factor is 1. No governance structure, no roadmap publication, no issue SLAs. Contributions require signing a CLA via CLA Assistant.
- Build complexity: Requires assembling several binary artifacts (cloud-hypervisor, prebuilt kernel vmlinux.bin) in addition to the Go build. Not a single-command install. Docker is needed for rootfs construction.
- No GPU support: Sandboxes run CPU-only Ubuntu. No GPU passthrough. Not suitable for ML training or inference workloads inside the sandbox.
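
A pre-deployment check for the first two caveats above (hardcoded guest SSH credential, unauthenticated REST listener), added here as an example and not part of the Arrakis project: it scans Dockerfile text for literal passwords piped to chpasswd and flags `ss -ltn` listeners bound beyond loopback. The chpasswd pattern, the user name, port 7000, and both sample inputs are assumptions constructed for illustration.

```python
import ipaddress
import re

KNOWN_DEFAULT = "elara0000"  # default guest SSH password named in the caveat above
# Assumed pattern: a literal "user:password" piped into chpasswd in a RUN step.
CHPASSWD_RE = re.compile(r"""echo\s+["']?([\w.-]+):([^"'\s|]+)["']?\s*\|\s*chpasswd""")

def find_hardcoded_passwords(dockerfile_text):
    """Return (line_no, user, is_known_default) for each literal password."""
    findings = []
    for no, line in enumerate(dockerfile_text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip Dockerfile comments
            continue
        for m in CHPASSWD_RE.finditer(line):
            findings.append((no, m.group(1), m.group(2) == KNOWN_DEFAULT))
    return findings

def exposed_listeners(ss_output, port):
    """Return `ss -ltn` local addresses listening on `port` beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, p = fields[3].rpartition(":")
        if p != str(port):
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets, %iface
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:  # "*" wildcard or unparsable: treat as exposed
            loopback = False
        if not loopback:
            exposed.append(fields[3])
    return exposed

# Constructed sample inputs (not the project's actual Dockerfile or host state).
SAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04
# RUN echo 'root:oldpass' | chpasswd
RUN useradd -m elara && echo 'elara:elara0000' | chpasswd
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:7000     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:7000       0.0.0.0:*
LISTEN 0      4096   [::]:7000          [::]:*
"""

if __name__ == "__main__":
    print(find_hardcoded_passwords(SAMPLE_DOCKERFILE))
    print(exposed_listeners(SAMPLE_SS, 7000))
```

Any result from `exposed_listeners` means the daemon is reachable from other hosts and needs the authenticating reverse proxy the caveat describes, or a loopback-only bind.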